[Snort-sigs] Sid 1149 - too many FPs

Schmehl, Paul L pauls at ...1311...
Thu Feb 27 20:11:19 EST 2003


web-cgi.rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
count.cgi access"; flow:to_server,established; uricontent:"/count.cgi";
nocase; reference:bugtraq,128; reference:cve,CVE-1999-0021;
reference:nessus,10049; classtype:web-application-activity; sid:1149;
rev:9;)

I've disabled this rule because of too many FPs.  We have a count.cgi
script on our portal that triggers this alert, even though it's not
vulnerable.  *However*, I wonder if this rule shouldn't be modified to
be more selective?

Right now it just looks for count.cgi, which can be triggered by *any*
script with that name.  The exploit on bugtraq (bid/128) shows that some
additional information is required in the GET in order to exploit the
buffer overflow.

Specifically:
"/* Choose what to do here */ 
printf("GET /cgi-bin/Count.cgi?%s\n\n",qs); 
/*fprintf(stderr,"\n\nadresse: %x0x\n",stack); 
printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent:
%x\n\n",qs,stack); 
setenv("QUERY_STRING",qs,1); 
system("/usr/local/etc/httpd/cgi-bin/Count.cgi"); 
system("/bin/sh");*/"

Wouldn't this be improved by adding some additional checks, such as:

content:"/count.cgi?"; nocase; content:"|3a 3a|"; within:50; or
something to that effect?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
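To make the difference between the two rules concrete, here is an added example (not Snort's code and not part of the original post) that models the content/uricontent, nocase and within semantics the thread relies on and runs both the shipped sid:1149 rule and the tightened variant proposed above over a few constructed request lines. The request lines, the hypothetical "/portal/count.cgi" URL and the assumption that within:N means "the next pattern must fit inside the N bytes following the previous match" are assumptions made for the example; the choice of "::" as the extra pattern is the post's, not a verified exploit signature.

```python
"""Toy model of Snort content matching for the sid:1149 discussion.

This is a constructed example, not Snort's own matcher: it approximates
uricontent/content with the nocase and within modifiers and evaluates the
original rule and the proposed tighter rule against a few request lines.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    within: Optional[int] = None  # max bytes after the previous match's end


def _find(buf: bytes, pat: bytes, nocase: bool, start: int, end: int) -> int:
    """Offset of pat inside buf[start:end] (in buf coordinates), or -1."""
    window = buf[start:end]
    if nocase:
        window, pat = window.lower(), pat.lower()
    pos = window.find(pat)
    return -1 if pos < 0 else start + pos


def rule_matches(uri: bytes, contents: List[Content]) -> bool:
    """Evaluate an ordered chain of content checks against a URI.

    Simplified Snort semantics: a content without a relative modifier is
    searched over the whole buffer; 'within: N' restricts the search to the
    N bytes that follow the end of the previous match, so the pattern has
    to fit entirely inside that window.
    """
    prev_end = 0
    for c in contents:
        if c.within is None:
            start, end = 0, len(uri)
        else:
            start, end = prev_end, prev_end + c.within
        pos = _find(uri, c.pattern, c.nocase, start, end)
        if pos < 0:
            return False
        prev_end = pos + len(c.pattern)
    return True


# The shipped rule: any URI containing /count.cgi, case-insensitively.
ORIGINAL_1149 = [Content(b"/count.cgi", nocase=True)]

# The tightened rule from the post: "/count.cgi?" followed by "::" (|3a 3a|)
# within 50 bytes of the end of the first match.
PROPOSED = [
    Content(b"/count.cgi?", nocase=True),
    Content(b"::", within=50),
]

# Constructed request lines (assumptions for the example, not captured traffic).
REQUESTS: Dict[str, bytes] = {
    # A benign counter on a hypothetical portal: the false positive case.
    "benign_portal": b"GET /portal/count.cgi?page=home HTTP/1.0",
    # A request shaped like the quoted exploit: query string starts with "::".
    "exploit_shape": b"GET /cgi-bin/Count.cgi?::" + b"A" * 40 + b" HTTP/1.0",
    # "::" present, but more than 50 bytes past the first match (within fails).
    "colons_too_far": b"GET /cgi-bin/Count.cgi?" + b"A" * 60 + b":: HTTP/1.0",
    # A different script name: neither rule should fire.
    "other_script": b"GET /cgi-bin/counter.cgi?x=:: HTTP/1.0",
}


def request_uri(request_line: bytes) -> bytes:
    """Pull the request-URI (second token) out of an HTTP request line."""
    parts = request_line.split(b" ")
    return parts[1] if len(parts) > 1 else b""


def run_both(requests: Dict[str, bytes] = REQUESTS) -> Dict[str, Dict[str, bool]]:
    """Evaluate both rules on every request; returns {name: {rule: fired}}."""
    results = {}
    for name, line in requests.items():
        uri = request_uri(line)
        results[name] = {
            "sid1149": rule_matches(uri, ORIGINAL_1149),
            "proposed": rule_matches(uri, PROPOSED),
        }
    return results


if __name__ == "__main__":
    for name, verdict in run_both().items():
        print(f"{name:15s} sid1149={verdict['sid1149']!s:5s} proposed={verdict['proposed']}")
```

Running it shows the benign portal request firing only the original rule, the exploit-shaped request firing both, and the request with "::" beyond the 50-byte window firing only the original rule. Real Snort matches uricontent against the normalized URI and has further ordering rules for content modifiers, so treat this as an illustration of the within window rather than a drop-in test of the rule.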